Re: [tcpm] Comments for draft-ietf-tcpm-yang-tcp-00
Juhamatti Kuusisaari <juhamatk@gmail.com> Wed, 04 November 2020 05:11 UTC
From: Juhamatti Kuusisaari <juhamatk@gmail.com>
Date: Wed, 04 Nov 2020 07:11:24 +0200
Message-ID: <CACS3ZpCj+1XZC+RkQcGUaC90XcGBUF_OR_qor8V4Zn0nTSGrRg@mail.gmail.com>
To: Mahesh Jethanandani <mjethanandani@gmail.com>
Cc: tcpm IETF list <tcpm@ietf.org>, Michael SCHARF <Michael.Scharf@hs-esslingen.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/SV6mArriy6iOjRHHJtX0taz14yg>
Hello Mahesh,

> Would it not be simple to add a ‘default true’ to ‘include-tcp-options’ to achieve the same result? Somehow my head does not comprehend a double negative very well :-).

Yes, ‘default true’ to ‘include-tcp-options’ would achieve the same end result. However, I think it would guide implementers to have a special "include"-mode for options in the TCP AO implementation, especially as TCP MD5 does not have options included. There should be nothing special about including options, the special part is to ignore them. Thus, I think 'ignore-tcp-options' is the way to go. Then again, having 'default true' with ‘include-tcp-options’ is certainly an improvement and another valid choice.

--
Juhamatti

On Tue, 3 Nov 2020 at 19:11, Mahesh Jethanandani <mjethanandani@gmail.com> wrote:
>
> Hi Juhamatti,
>
> On Nov 1, 2020, at 1:06 AM, Juhamatti Kuusisaari <juhamatk@gmail.com> wrote:
>
> Hello,
>
> My comments included below apply also to draft-ietf-tcpm-yang-tcp-00.
>
> In brief:
> * include-tcp-options -> ignore-tcp-options with default false
> * accept-ao-mismatch -> accept-key-mismatch
>
> BR,
> --
> Juhamatti
>
>
> ---------- Forwarded message ---------
> From: Juhamatti Kuusisaari <juhamatk@gmail.com>
> Date: Fri, 18 Sep 2020 at 11:53
> Subject: [tcpm] Comments for draft-scharf-tcpm-yang-tcp-06
> To: tcpm IETF list <tcpm@ietf.org>, Scharf, Michael <Michael.Scharf@hs-esslingen.de>
>
>
> Hello,
>
> I read through draft-scharf-tcpm-yang-tcp-06 and overall it looks fine to me.
>
> Nevertheless, there are a couple of items that may need clarifications/improvements.
>
> (1) I believe "leaf include-tcp-options" should be "leaf ignore-tcp-options" with a false default as the options are included by default in the RFC 5925. In my opinion, this would better emphasize the fact that options really should be included by default and not including them should be a special case. Change suggestion in detail below:
>
> leaf include-tcp-options {
>   type boolean;
>   must "../enable-ao = 'true'";
>   description
>     "Include TCP options in HMAC calculation.";
> }
> =>
> leaf ignore-tcp-options {
>   type boolean;
>   default "false";
>   must "../enable-ao = 'true'";
>   description
>     "Ignore TCP options in MAC calculation.";
> }
>
>
> Would it not be simple to add a ‘default true’ to ‘include-tcp-options’ to achieve the same result? Somehow my head does not comprehend a double negative very well :-).
>
> Please also note the "HMAC"->"MAC" change suggestion. And yes, I do realize that a default could be added to the original "include" leaf. After pondering about this, I do think "ignore" leaf would be a better end result for the reasons I mentioned above.
>
> (2) There is now a leaf that says:
>
> leaf accept-ao-mismatch {
>   type boolean;
>   must "../enable-ao = 'true'";
>   description
>     "Accept packets with HMAC mismatch.";
> }
>
> It is true that RFC 5925 allows non-existing MKT connections that should be accepted. Then again, the above configuration and its description looks to me that any mismatch would be accepted. So, maybe a configuration setting better reflecting RFC 5925 would be something on the lines of
>
> leaf accept-key-mismatch {
>   type boolean;
>   must "../enable-ao = 'true'";
>   description
>     "Accept TCP segments with a Master Key Tuple (MKT) that is not configured.";
> }
>
> As this configuration option does not have such a strong default as the former one, I do not see a need to change its logic otherwise nor add a default. I would assume that most security aware users would have "false" there as a setting - especially those users that would use a YANG model to do the configuration.
>
>
> I am fine with making this change.
>
> Thanks
>
>
> Best regards,
> --
> Juhamatti
>
>
> Mahesh Jethanandani
> mjethanandani@gmail.com
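The receive-side behaviour the two proposed leaves govern, as an added illustration that is not part of the thread or of the draft's YANG model: a simplified Python model that assumes the traffic key is supplied directly (the RFC 5926 KDF is omitted) and uses a stand-in for the exact RFC 5925 covered-bytes layout. It separates a key mismatch (no configured MKT for the segment's KeyID, which is what accept-key-mismatch is about) from a MAC mismatch under a configured key, and shows what ignore-tcp-options changes in the MAC input.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical, simplified model of the receive-side TCP-AO decision the two
# YANG leaves control. Traffic-key derivation (RFC 5926 KDF) and the exact
# RFC 5925 section 5.1 byte layout are deliberately omitted: the traffic key
# is supplied directly and the covered bytes below are a constructed stand-in.

@dataclass
class AoConfig:
    enable_ao: bool = True
    ignore_tcp_options: bool = False   # proposed leaf; default false as proposed
    accept_key_mismatch: bool = False  # proposed leaf; the draft gives no default, False is this example's choice
    mkts: dict = field(default_factory=dict)  # receive KeyID -> traffic key (bytes)

@dataclass
class Segment:
    header: bytes            # TCP header with checksum and TCP-AO MAC field zeroed
    options: bytes           # all TCP options other than TCP-AO
    payload: bytes
    ao_key_id: Optional[int]  # None when the segment carries no TCP-AO option
    ao_mac: bytes = b""

def mac_hmac_sha1_96(key: bytes, seg: Segment, ignore_options: bool) -> bytes:
    """HMAC-SHA-1 truncated to 96 bits (RFC 5926 HMAC-SHA-1-96) over the header,
    the other options unless the configuration excludes them, and the payload."""
    covered = seg.header + (b"" if ignore_options else seg.options) + seg.payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:12]

def receive_decision(cfg: AoConfig, seg: Segment) -> str:
    """Return 'accept-authenticated', 'accept-unauthenticated' or 'drop'."""
    if not cfg.enable_ao:
        return "accept-unauthenticated"
    if seg.ao_key_id is None or seg.ao_key_id not in cfg.mkts:
        # No MKT matches: a *key* mismatch, the case accept-key-mismatch is
        # about. It is not an integrity failure, so policy may let it through.
        return "accept-unauthenticated" if cfg.accept_key_mismatch else "drop"
    expected = mac_hmac_sha1_96(cfg.mkts[seg.ao_key_id], seg, cfg.ignore_tcp_options)
    # A wrong MAC under a configured key is always dropped: no setting in the
    # model lets a genuine MAC mismatch through.
    if hmac.compare_digest(expected, seg.ao_mac):
        return "accept-authenticated"
    return "drop"
```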